5 Questions CEOs Should Ask About Cyber Risks
October 13, 2016
Herjavec Group Founder & CEO, Robert Herjavec, recently visited the Pensacola Security Operations Centre for the US Department of Homeland Security. While on site he spoke to the team about security at the enterprise level and the importance of balancing needs for security in the physical realm with those in the digital realm.
One of the DHS team’s primary initiatives is to ensure security awareness across all levels of an organization, particularly across federal entities. We believe that C-level executives in particular should play an active role in cyber risk management discussions to ensure any risks taken are acceptable and aligned with overall business needs. C-level executives are often those allocating final budgets internally so it’s imperative they have a strong understanding of the benefits of a proactive cybersecurity defense.
President Barack Obama and the Department of Homeland Security (DHS) recognize October as National Cybersecurity Awareness Month (NCSAM). Now in its 13th year, this month is focused on increasing awareness about the importance of cybersecurity as well as personal and enterprise cyber hygiene. Herjavec Group is proud to be a NCSAM Champion!
To kick off our Cybersecurity Awareness month series, please review the questions below that every CEO should be asking about cyber risks. Our intent is to have you start a conversation in your own boardroom so that your executive team can help guide discussions on information security and promote a culture of cybersecurity at work. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
How is our executive leadership informed about the current level and business impact of cyber risks to our company?
In order to respond timely and minimize the impact of a cyber incident, C-level executives must be prepared with all of the information about current risks and how they may impact the business, along with alternative action plans. Be sure to establish a process for communication between the executives and those responsible for risk management.
What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
Performing a risk assessment by identifying critical assets and associated impacts from cyber threats will help in prioritizing protective measures and allocating resources. Similarly, this is critical to understanding a company’s risk exposure – whether financial, competitive, reputational or regulatory.
How does our cybersecurity program apply industry standards and best practices?
When it comes to a comprehensive security program, satisfying compliance requirements alone does not adequately address new and dynamic threats or sophisticated attackers. Leveraging industry best practices in addition to implementing compliance requirements will enable timely response and recovery for security incidents.
How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
Detecting anomalies in traffic and event patterns will ensure that cyber incidents are escalated and responded to accordingly. Regular communication between the CEO and those accountable for managing cyber risks provides awareness of associated risks and business impact. In order to detect, analyze and correlate data anomalies, the organization should recruit mature cybersecurity resources internally, or consider engaging a third party managed services provider.
How comprehensive is our cyber incident response plan? How often is it tested?
Early response actions can limit or even prevent damage caused by a cyber incident. Be sure to coordinate cyber incident response planning across the entire enterprise (Chief Information Security Officer, business leaders, system operators, continuity planners, general counsel and public affairs) to ensure you are ready for a cyber incident the moment it happens.
Click below to read the detailed list of recommendations for all C-level executives, originally published by the DHS: